Bug 10598 - Huawei CDMA PCMCIA card oops
Huawei CDMA PCMCIA card oops
Status: CLOSED CODE_FIX
Product: Drivers
Classification: Unclassified
Component: USB
All Linux
: P1 high
Assigned To: Greg Kroah-Hartman
:
Depends on:
Blocks: 10492
  Show dependency treegraph
 
Reported: 2008-05-03 06:38 UTC by Pavel Kysilka
Modified: 2008-05-14 14:26 UTC (History)
1 user (show)

See Also:
Kernel Version: 2.6.25-current git
Tree: Mainline
Regression: Yes


Attachments
dmesg 2.6.25-latest git (60.44 KB, text/plain)
2008-05-03 06:40 UTC, Pavel Kysilka
Details

Description Pavel Kysilka 2008-05-03 06:38:51 UTC
Latest working kernel version: 2.6.25 pure kernel.
Earliest failing kernel version: 2.6.25 -latest git
Distribution:Debian Testing
Hardware Environment:Lenovo 3000 N100, Huawei EC500 CDMA card
Software Environment:
Problem Description:
I get this oops with my PCMCIA CDMA card.
lsusb not working. Cannot connect to internet.

usb 6-1: New USB device found, idVendor=12d1, idProduct=1001
usb 6-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 6-1: Product: Huawei Mobile                 
usb 6-1: Manufacturer: Huawei Technologies   
Initializing USB Mass Storage driver...
BUG: unable to handle kernel NULL pointer dereference at 00000004
IP: [<c025afa7>] scsi_destroy_command_freelist+0x10/0x54
*pde = 00000000 
Oops: 0000 [#1] SMP 
Modules linked in: usb_storage(+) loop firewire_sbp2 usbhid hid ohci_hcd joydev snd_hda_intel snd_hwdep snd_pcm_oss snd_pcm snd_page_alloc snd_mixer_oss arc4 firewire_ohci snd_seq_dummy firewire_core ecb crypto_blkcipher snd_seq_oss crc_itu_t pcmcia snd_seq_midi snd_rawmidi iwl3945 snd_seq_midi_event mac80211 led_class snd_seq snd_timer snd_seq_device ohci1394 thermal snd sdhci battery psmouse ieee1394 cfg80211 ac button processor mmc_core yenta_socket rsrc_nonstatic pcmcia_core intel_agp evdev ehci_hcd uhci_hcd i2c_i801 soundcore usbcore 8139cp 8139too i2c_core

Pid: 1713, comm: modprobe Not tainted (2.6.25 #7)
EIP: 0060:[<c025afa7>] EFLAGS: 00010217 CPU: 0
EIP is at scsi_destroy_command_freelist+0x10/0x54
EAX: f72ff000 EBX: 00000000 ECX: c17fd1cc EDX: fffffffc
ESI: f72ff000 EDI: f72ff018 EBP: f72bfd10 ESP: f72bfd04
 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process modprobe (pid: 1713, ti=f72be000 task=f7516070 task.ti=f72be000)
Stack: f72ff000 00000000 00000000 f72bfd20 c025b85e f72ff160 c040cdec f72bfd28 
       c02541de f72bfd3c c01e197c f72ff164 c01e193c f72ff34c f72bfd4c c01e23f9 
       f72ff160 fffffffb f72bfd58 c01e18bb f72ff34c f72bfd60 c0253de1 f72bfd68 
Call Trace:
 [<c025b85e>] ? scsi_host_dev_release+0x6b/0x98
 [<c02541de>] ? device_release+0x37/0x5c
 [<c01e197c>] ? kobject_release+0x40/0x50
 [<c01e193c>] ? kobject_release+0x0/0x50
 [<c01e23f9>] ? kref_put+0x39/0x44
 [<c01e18bb>] ? kobject_put+0x3c/0x41
 [<c0253de1>] ? put_device+0xf/0x11
 [<c025b7c2>] ? scsi_host_put+0xd/0xf
 [<f8b23585>] ? release_everything+0xaa/0xaf [usb_storage]
 [<f8b23df5>] ? storage_probe+0x509/0x5cc [usb_storage]
 [<f88840c2>] ? usb_autopm_do_device+0xb1/0xb9 [usbcore]
 [<f8884b22>] ? usb_probe_interface+0xc0/0xee [usbcore]
 [<c0256007>] ? driver_probe_device+0xa0/0x11b
 [<c02560bc>] ? __driver_attach+0x3a/0x59
 [<c025592a>] ? bus_for_each_dev+0x3b/0x5d
 [<c0255eac>] ? driver_attach+0x14/0x16
 [<c0256082>] ? __driver_attach+0x0/0x59
 [<c0255cac>] ? bus_add_driver+0x97/0x1a7
 [<c02562c3>] ? driver_register+0x71/0xcd
 [<f8884757>] ? usb_register_driver+0x66/0xc0 [usbcore]
 [<f8847022>] ? usb_stor_init+0x22/0x3b [usb_storage]
 [<c013f3f9>] ? sys_init_module+0x17c3/0x1968
 [<c014a0f4>] ? find_lock_page+0x29/0x76
 [<c0103871>] ? sysenter_past_esp+0x6a/0x91
 =======================
Code: e8 d3 72 f0 ff 8b 46 04 e8 cb 72 f0 ff b8 a4 d4 40 c0 e8 89 78 0a 00 5b 5e 5d c3 55 89 e5 57 56 89 c6 53 8d 78 18 eb 1c 8d 53 fc <8b> 42 08 8b 4a 04 89 41 04 89 08 89 5a 08 89 5a 04 8b 46 10 e8 
EIP: [<c025afa7>] scsi_destroy_command_freelist+0x10/0x54 SS:ESP 0068:f72bfd04
---[ end trace ec8749a2ebb6e124 ]---


Steps to reproduce:
Insert pcmcia card into cardbus slot or boot with PCMCIA card inserted.
Comment 1 Pavel Kysilka 2008-05-03 06:40:44 UTC
Created attachment 16014 [details]
dmesg 2.6.25-latest git
Comment 2 Anonymous Emailer 2008-05-03 07:45:29 UTC
Reply-To: akpm@linux-foundation.org

(switched to email.  Please respond via emailed reply-to-all, not via the
bugzilla web interface).

On Sat,  3 May 2008 06:38:53 -0700 (PDT) bugme-daemon@bugzilla.kernel.org wrote:

> http://bugzilla.kernel.org/show_bug.cgi?id=10598
> 
>            Summary: Huawei CDMA PCMCIA card oops
>            Product: Drivers
>            Version: 2.5
>      KernelVersion: 2.6.25-current git
>           Platform: All
>         OS/Version: Linux
>               Tree: Mainline
>             Status: NEW
>           Severity: high
>           Priority: P1
>          Component: USB
>         AssignedTo: greg@kroah.com
>         ReportedBy: p.kysilka@aegis.cz
> 
> 
> Latest working kernel version: 2.6.25 pure kernel.
> Earliest failing kernel version: 2.6.25 -latest git
> Distribution:Debian Testing
> Hardware Environment:Lenovo 3000 N100, Huawei EC500 CDMA card
> Software Environment:
> Problem Description:
> I get this oops with my PCMCIA CDMA card.
> lsusb not working. Cannot connect to internet.
> 
> usb 6-1: New USB device found, idVendor=12d1, idProduct=1001
> usb 6-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
> usb 6-1: Product: Huawei Mobile                 
> usb 6-1: Manufacturer: Huawei Technologies   
> Initializing USB Mass Storage driver...
> BUG: unable to handle kernel NULL pointer dereference at 00000004
> IP: [<c025afa7>] scsi_destroy_command_freelist+0x10/0x54
> *pde = 00000000 
> Oops: 0000 [#1] SMP 
> Modules linked in: usb_storage(+) loop firewire_sbp2 usbhid hid ohci_hcd joydev
> snd_hda_intel snd_hwdep snd_pcm_oss snd_pcm snd_page_alloc snd_mixer_oss arc4
> firewire_ohci snd_seq_dummy firewire_core ecb crypto_blkcipher snd_seq_oss
> crc_itu_t pcmcia snd_seq_midi snd_rawmidi iwl3945 snd_seq_midi_event mac80211
> led_class snd_seq snd_timer snd_seq_device ohci1394 thermal snd sdhci battery
> psmouse ieee1394 cfg80211 ac button processor mmc_core yenta_socket
> rsrc_nonstatic pcmcia_core intel_agp evdev ehci_hcd uhci_hcd i2c_i801 soundcore
> usbcore 8139cp 8139too i2c_core
> 
> Pid: 1713, comm: modprobe Not tainted (2.6.25 #7)
> EIP: 0060:[<c025afa7>] EFLAGS: 00010217 CPU: 0
> EIP is at scsi_destroy_command_freelist+0x10/0x54
> EAX: f72ff000 EBX: 00000000 ECX: c17fd1cc EDX: fffffffc
> ESI: f72ff000 EDI: f72ff018 EBP: f72bfd10 ESP: f72bfd04
>  DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
> Process modprobe (pid: 1713, ti=f72be000 task=f7516070 task.ti=f72be000)
> Stack: f72ff000 00000000 00000000 f72bfd20 c025b85e f72ff160 c040cdec f72bfd28 
>        c02541de f72bfd3c c01e197c f72ff164 c01e193c f72ff34c f72bfd4c c01e23f9 
>        f72ff160 fffffffb f72bfd58 c01e18bb f72ff34c f72bfd60 c0253de1 f72bfd68 
> Call Trace:
>  [<c025b85e>] ? scsi_host_dev_release+0x6b/0x98
>  [<c02541de>] ? device_release+0x37/0x5c
>  [<c01e197c>] ? kobject_release+0x40/0x50
>  [<c01e193c>] ? kobject_release+0x0/0x50
>  [<c01e23f9>] ? kref_put+0x39/0x44
>  [<c01e18bb>] ? kobject_put+0x3c/0x41
>  [<c0253de1>] ? put_device+0xf/0x11
>  [<c025b7c2>] ? scsi_host_put+0xd/0xf
>  [<f8b23585>] ? release_everything+0xaa/0xaf [usb_storage]
>  [<f8b23df5>] ? storage_probe+0x509/0x5cc [usb_storage]
>  [<f88840c2>] ? usb_autopm_do_device+0xb1/0xb9 [usbcore]
>  [<f8884b22>] ? usb_probe_interface+0xc0/0xee [usbcore]
>  [<c0256007>] ? driver_probe_device+0xa0/0x11b
>  [<c02560bc>] ? __driver_attach+0x3a/0x59
>  [<c025592a>] ? bus_for_each_dev+0x3b/0x5d
>  [<c0255eac>] ? driver_attach+0x14/0x16
>  [<c0256082>] ? __driver_attach+0x0/0x59
>  [<c0255cac>] ? bus_add_driver+0x97/0x1a7
>  [<c02562c3>] ? driver_register+0x71/0xcd
>  [<f8884757>] ? usb_register_driver+0x66/0xc0 [usbcore]
>  [<f8847022>] ? usb_stor_init+0x22/0x3b [usb_storage]
>  [<c013f3f9>] ? sys_init_module+0x17c3/0x1968
>  [<c014a0f4>] ? find_lock_page+0x29/0x76
>  [<c0103871>] ? sysenter_past_esp+0x6a/0x91
>  =======================
> Code: e8 d3 72 f0 ff 8b 46 04 e8 cb 72 f0 ff b8 a4 d4 40 c0 e8 89 78 0a 00 5b
> 5e 5d c3 55 89 e5 57 56 89 c6 53 8d 78 18 eb 1c 8d 53 fc <8b> 42 08 8b 4a 04 89
> 41 04 89 08 89 5a 08 89 5a 04 8b 46 10 e8 
> EIP: [<c025afa7>] scsi_destroy_command_freelist+0x10/0x54 SS:ESP 0068:f72bfd04
> ---[ end trace ec8749a2ebb6e124 ]---

I think James fixed this very recently, but I'm unsure which commit did this?

<looks>

Nope, maybe it hasn't been merged yet.

I suspect it's this one:

commit 61d7416a286e840d905c18b1e6b0977c036c8656
Author: Alan D. Brunelle <Alan.Brunelle@hp.com>
Date:   Tue Apr 29 16:12:51 2008 -0400

    [SCSI] bug fix for free list handling
    
    commit:
    
    commit 542bd1377a963070bc4a03ff7d2690ddf3920596
    Author: James Bottomley <James.Bottomley@HansenPartnership.com>
    Date:   Mon Apr 21 10:57:20 2008 -0500
    
        [SCSI] fix SLUB WARN_ON
    
    Fixed another problem in free list handling by moving list allocation
    from scsi_host_alloc() to scsi_add_host().  Unfortunately it
    introduced a new failure mode in that hosts can pass straight from
    alloc to put without going through add, leaving the free list
    uninitialised.
    
    Fix by checking shost->cmd_pool on the release path to see if it got
    initialised.
    
    Signed-off-by: Alan D. Brunelle <alan.brunelle@hp.com>
    Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>

diff --git a/drivers/scsi/scsi.c b/drivers/scsi/scsi.c
index 12d69d7..749c9c7 100644
--- a/drivers/scsi/scsi.c
+++ b/drivers/scsi/scsi.c
@@ -469,6 +469,7 @@ int scsi_setup_command_freelist(struct Scsi_Host *shost)
 	cmd = scsi_pool_alloc_command(shost->cmd_pool, gfp_mask);
 	if (!cmd) {
 		scsi_put_host_cmd_pool(gfp_mask);
+		shost->cmd_pool = NULL;
 		return -ENOMEM;
 	}
 	list_add(&cmd->list, &shost->free_list);
@@ -481,6 +482,13 @@ int scsi_setup_command_freelist(struct Scsi_Host *shost)
  */
 void scsi_destroy_command_freelist(struct Scsi_Host *shost)
 {
+	/*
+	 * If cmd_pool is NULL the free list was not initialized, so
+	 * do not attempt to release resources.
+	 */
+	if (!shost->cmd_pool)
+		return;
+
 	while (!list_empty(&shost->free_list)) {
 		struct scsi_cmnd *cmd;
 

Comment 3 Anonymous Emailer 2008-05-03 07:52:45 UTC
Reply-To: James.Bottomley@HansenPartnership.com

On Sat, 2008-05-03 at 07:44 -0700, Andrew Morton wrote:
> (switched to email.  Please respond via emailed reply-to-all, not via the
> bugzilla web interface).
> 
> On Sat,  3 May 2008 06:38:53 -0700 (PDT) bugme-daemon@bugzilla.kernel.org wrote:
> 
> > http://bugzilla.kernel.org/show_bug.cgi?id=10598
> > 
> >            Summary: Huawei CDMA PCMCIA card oops
> >            Product: Drivers
> >            Version: 2.5
> >      KernelVersion: 2.6.25-current git
> >           Platform: All
> >         OS/Version: Linux
> >               Tree: Mainline
> >             Status: NEW
> >           Severity: high
> >           Priority: P1
> >          Component: USB
> >         AssignedTo: greg@kroah.com
> >         ReportedBy: p.kysilka@aegis.cz
> > 
> > 
> > Latest working kernel version: 2.6.25 pure kernel.
> > Earliest failing kernel version: 2.6.25 -latest git
> > Distribution:Debian Testing
> > Hardware Environment:Lenovo 3000 N100, Huawei EC500 CDMA card
> > Software Environment:
> > Problem Description:
> > I get this oops with my PCMCIA CDMA card.
> > lsusb not working. Cannot connect to internet.
> > 
> > usb 6-1: New USB device found, idVendor=12d1, idProduct=1001
> > usb 6-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
> > usb 6-1: Product: Huawei Mobile                 
> > usb 6-1: Manufacturer: Huawei Technologies   
> > Initializing USB Mass Storage driver...
> > BUG: unable to handle kernel NULL pointer dereference at 00000004
> > IP: [<c025afa7>] scsi_destroy_command_freelist+0x10/0x54
> > *pde = 00000000 
> > Oops: 0000 [#1] SMP 
> > Modules linked in: usb_storage(+) loop firewire_sbp2 usbhid hid ohci_hcd joydev
> > snd_hda_intel snd_hwdep snd_pcm_oss snd_pcm snd_page_alloc snd_mixer_oss arc4
> > firewire_ohci snd_seq_dummy firewire_core ecb crypto_blkcipher snd_seq_oss
> > crc_itu_t pcmcia snd_seq_midi snd_rawmidi iwl3945 snd_seq_midi_event mac80211
> > led_class snd_seq snd_timer snd_seq_device ohci1394 thermal snd sdhci battery
> > psmouse ieee1394 cfg80211 ac button processor mmc_core yenta_socket
> > rsrc_nonstatic pcmcia_core intel_agp evdev ehci_hcd uhci_hcd i2c_i801 soundcore
> > usbcore 8139cp 8139too i2c_core
> > 
> > Pid: 1713, comm: modprobe Not tainted (2.6.25 #7)
> > EIP: 0060:[<c025afa7>] EFLAGS: 00010217 CPU: 0
> > EIP is at scsi_destroy_command_freelist+0x10/0x54
> > EAX: f72ff000 EBX: 00000000 ECX: c17fd1cc EDX: fffffffc
> > ESI: f72ff000 EDI: f72ff018 EBP: f72bfd10 ESP: f72bfd04
> >  DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
> > Process modprobe (pid: 1713, ti=f72be000 task=f7516070 task.ti=f72be000)
> > Stack: f72ff000 00000000 00000000 f72bfd20 c025b85e f72ff160 c040cdec f72bfd28 
> >        c02541de f72bfd3c c01e197c f72ff164 c01e193c f72ff34c f72bfd4c c01e23f9 
> >        f72ff160 fffffffb f72bfd58 c01e18bb f72ff34c f72bfd60 c0253de1 f72bfd68 
> > Call Trace:
> >  [<c025b85e>] ? scsi_host_dev_release+0x6b/0x98
> >  [<c02541de>] ? device_release+0x37/0x5c
> >  [<c01e197c>] ? kobject_release+0x40/0x50
> >  [<c01e193c>] ? kobject_release+0x0/0x50
> >  [<c01e23f9>] ? kref_put+0x39/0x44
> >  [<c01e18bb>] ? kobject_put+0x3c/0x41
> >  [<c0253de1>] ? put_device+0xf/0x11
> >  [<c025b7c2>] ? scsi_host_put+0xd/0xf
> >  [<f8b23585>] ? release_everything+0xaa/0xaf [usb_storage]
> >  [<f8b23df5>] ? storage_probe+0x509/0x5cc [usb_storage]
> >  [<f88840c2>] ? usb_autopm_do_device+0xb1/0xb9 [usbcore]
> >  [<f8884b22>] ? usb_probe_interface+0xc0/0xee [usbcore]
> >  [<c0256007>] ? driver_probe_device+0xa0/0x11b
> >  [<c02560bc>] ? __driver_attach+0x3a/0x59
> >  [<c025592a>] ? bus_for_each_dev+0x3b/0x5d
> >  [<c0255eac>] ? driver_attach+0x14/0x16
> >  [<c0256082>] ? __driver_attach+0x0/0x59
> >  [<c0255cac>] ? bus_add_driver+0x97/0x1a7
> >  [<c02562c3>] ? driver_register+0x71/0xcd
> >  [<f8884757>] ? usb_register_driver+0x66/0xc0 [usbcore]
> >  [<f8847022>] ? usb_stor_init+0x22/0x3b [usb_storage]
> >  [<c013f3f9>] ? sys_init_module+0x17c3/0x1968
> >  [<c014a0f4>] ? find_lock_page+0x29/0x76
> >  [<c0103871>] ? sysenter_past_esp+0x6a/0x91
> >  =======================
> > Code: e8 d3 72 f0 ff 8b 46 04 e8 cb 72 f0 ff b8 a4 d4 40 c0 e8 89 78 0a 00 5b
> > 5e 5d c3 55 89 e5 57 56 89 c6 53 8d 78 18 eb 1c 8d 53 fc <8b> 42 08 8b 4a 04 89
> > 41 04 89 08 89 5a 08 89 5a 04 8b 46 10 e8 
> > EIP: [<c025afa7>] scsi_destroy_command_freelist+0x10/0x54 SS:ESP 0068:f72bfd04
> > ---[ end trace ec8749a2ebb6e124 ]---
> 
> I think James fixed this very recently, but I'm unsure which commit did this?
> 
> <looks>
> 
> Nope, maybe it hasn't been merged yet.
> 
> I suspect it's this one:
> 
> commit 61d7416a286e840d905c18b1e6b0977c036c8656
> Author: Alan D. Brunelle <Alan.Brunelle@hp.com>
> Date:   Tue Apr 29 16:12:51 2008 -0400
> 
>     [SCSI] bug fix for free list handling

Yes, that's the fix.  It's in the queue with a pull request sent at the
moment.

James


Comment 4 Adrian Bunk 2008-05-08 13:29:52 UTC
Pavel, can you confirm that it's fixed in 2.6.26-rc1?
Comment 5 Adrian Bunk 2008-05-14 14:26:45 UTC
Please reopen this bug if it's still present with 2.6.26-rc2.

Note You need to log in before you can comment on or make changes to this bug.